A short trip to OpenWRT

Coming from Linux on desktops/servers the OpenWRT environment is very similar. However, to not get confused, you must switch to the mental model in which you’re no longer the consuming endpoint of the network, but it’s enabling infrastructure.

The router

For this exploration of OpenWRT concepts, the Slate (GL-AR750S-Ext) router was used. It came with a preinstalled OpenWRT so that was one less step to do.

It has 2.4GHz and 5Ghz Wifi and 3 physical ethernet ports of which one is referenced as a WAN port. Before going further let’s try to answer some questions up front.

  • What would you expect to see as the result of ifconfig?

  • Which of the interfaces will have an IP address?

Here is the compressed output of ifconfig:

br-lan (
eth0.2 (

The wlans seem as expected, but how do other interfaces relate to what’s physically on the device?

For explaining that some new concepts need to be introduced.

The Bridge

The bridge is a software mechanism that connects multiple network interfaces together. This connecting/bridging is all happening inside the router, on the SoC (System on Chip) running OpenWRT.

Conceptually it’s like a virtual layer 2 network switch inside the router. You can, again conceptually, plug the network interfaces into the virtual switch making everything connected to those network interfaces part of the same layer 2 network.

The image contains the, still mysterious, eth0.1. For now, it’s ok to just perceive it as an Ethernet port. It just serves to show that bridging isn’t limited to WiFi. We’ll examine it more in the upcoming paragraph.

brctl command is used for doing bridge related operations. i.e. listing bridged interfaces:

root@GL-AR750S:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.e4956e459d86       no              eth0.1

Perhaps that clears what bridging does, but we started by detecting br-lan as a network interface itself:

br-lan    Link encap:Ethernet  HWaddr E4:95:6E:45:9D:86
          inet addr:  Bcast:  Mask:
          inet6 addr: fd8a:5278:9ed6::1/60 Scope:Global                 
          inet6 addr: fe80::e695:6eff:fe45:9d86/64 Scope:Link           
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1            
          RX packets:1134131 errors:0 dropped:0 overruns:0 frame:0      
          TX packets:1994323 errors:0 dropped:0 overruns:0 carrier:0    
          collisions:0 txqueuelen:1000
          RX bytes:114989802 (109.6 MiB)  TX bytes:2407107022 (2.2 GiB) 

Why is it listed under network interfaces and has an IP address?

Following the analogy an internal switch, the bridge network interface br-lan is a port not reachable from outside of the router.

Don’t know if this was a purposeful design decision (An interface that causes the least confusion?) or was just dictated by the implementation. In terms of usage, once a network interface (i.e. eth0 or wlan0) is a part of the bridge (br-lan) it should not have an IP of its own. The bridge interface takes on the responsibility of having the IP.

In the case of this router, the bridge is assigned and that is the address to reach the admin interface regardless if you’re connected via wifi or cable.

On more info when and why does this makes sense, please check the following references:

The Switch

The bridge was introduced as a virtual switch inside the router. However, there is also the actual physical switch, a chip on the router PCB that can perform switching without the help of the SoC. A little search through dmesg reveals it:

[    1.174747] switch0: Atheros AR8337 rev. 2 switch registered on ag71xx-mdio.0

Let’s try and find it in the output we started with:

br-lan (
eth0.2 (

On first sight one could assume the following:

There are 3 eth interfaces and 3 visible physical ports. The WAN port (eth0.2) has an IP address, and the other two (eth0, eth0.1) represent the other two ports… Solved! … however, this is more incorrect then it isn’t :)

You remember how the bridge/virtual switch shows itself as the br-lan interface, well the physical switch doesn’t show itself in the ifconfig output. It is managed with swconfig, a dedicated application that communicates directly with the switch driver.

All the eth0's represent the single Ethernet port of the main SoC of the router. If instead of a router this device was used as a laptop, the eth0 would represent the port to which you would plug in the cable to get wired internet. Again, conceptually, since you can’t really reach it without soldering.

And finally the eth0.1 and eth0.2. They represent the VLAN’s that eth0 has been configured to belong to.

The physical switch is configured to add VLAN tags depending on the physical ports the connection originates from. This provides a MAC layer separation between ports even though they belong to the same switch.

All those connections reach the SoC through its single Ethernet port (eth0), but it is additionally configured to express them as dedicated interfaces.


Two concepts one should grasp when looking at the world from the shell of a router:

  • bridge
    • a virtual switch provided by a software module
    • a “switch” which “bridges” interfaces to the same layer 2 network
    • registers itself as a network interface (br-lan)
  • switch
    • a separate physical chip on the router PCBa
    • differentiates physical ports by grouping them into VLANs
    • VLANs visibility provided from the main SoC
    • switch managed through a dedicated CLI app swconfig

This was likely just scratching the surface of what’s going on in OpenWRT. Hopefully, it gives a conceptual overview of how the interfaces are presented and some dry land to start the further exploration from.

Written on April 20, 2019